
What are the security risks of basic authorization in SOAP requests? I know that the username and password are concatenated and sent in Base64 in an HTTP header on every subsequent request, but it is still popular in SOAP WS.

Anders
user187205

1 Answer


I can think of three points:

  • You must use HTTPS, or the password will be sent in plaintext. But you need HTTPS for all authentication, so this is not specific to basic auth. (I wouldn't really care about the fact that the password hits the network multiple times instead of once. Either you use HTTPS, and then it is fine, or you don't, and then just sending it once is already a catastrophe.)
  • Browsers will have to cache the password instead of just a temporary token of some sort. Maybe not a huge issue, but still.
  • You must make sure that the passwords are properly hashed on the server side. This is not always the case for common implementations, so be wary! Since the password has to be checked every request, proper password hashing comes with a higher performance penalty, especially if it is a busy system.
Anders
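As an added illustration of the first and third points above (this is not code from the question or the answer): decoding the `Authorization: Basic` header from a SOAP request captured without TLS, and the salted, deliberately slow check the server has to run on every request. The request, header value, user record and PBKDF2 parameters are all constructed for the example.

```python
import base64
import hashlib
import hmac
import os

# Constructed sample: a SOAP request as seen on the wire without TLS. The
# Authorization header is plain Base64, so anyone reading the traffic
# recovers the credentials with one decode call (encoding is not encryption).
SAMPLE_REQUEST = (
    "POST /ws/OrderService HTTP/1.1\r\n"
    "Host: soap.example.test\r\n"
    'SOAPAction: "urn:PlaceOrder"\r\n'
    "Authorization: Basic YWxpY2U6c2VjcmV0\r\n"
    "\r\n"
    '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
    "<soap:Body/></soap:Envelope>"
)


def extract_basic_credentials(raw_request):
    """Return (username, password) from a Basic header, or None if absent/malformed."""
    headers = raw_request.partition("\r\n\r\n")[0].split("\r\n")[1:]
    for line in headers:
        name, _, value = line.partition(":")
        if name.strip().lower() != "authorization":
            continue
        scheme, _, token = value.strip().partition(" ")
        if scheme.lower() != "basic":
            return None
        try:
            decoded = base64.b64decode(token.strip(), validate=True).decode()
        except ValueError:  # covers binascii.Error and UnicodeDecodeError
            return None
        user, sep, password = decoded.partition(":")
        return (user, password) if sep else None
    return None


# Server side: the credential arrives on every request, so each request pays
# the full cost of a slow, salted hash. Stdlib PBKDF2 stands in here for
# whatever password hash the deployment actually uses (assumed parameters).
PBKDF2_ITERATIONS = 200_000


def make_record(password):
    salt = os.urandom(16)  # per-user random salt, stored beside the digest
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def verify(record, password):
    """Constant-time comparison against the stored digest; runs once per request."""
    salt, stored = record
    cand = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(cand, stored)
```

Timing `verify` in a loop shows the per-request cost the answer mentions; a session token would let the server pay it once per login instead.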